mirror of
https://github.com/matrix-org/dendrite.git
synced 2025-12-12 09:23:09 -06:00
Login: Add Token based authentication
Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com>
This commit is contained in:
Anant Prakash
parent
6b55972183
commit
a85743b00c
|
|
@ -15,6 +15,7 @@
|
|||
package routing
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
|
|
@ -28,6 +29,14 @@ import (
|
|||
"github.com/matrix-org/util"
|
||||
)
|
||||
|
||||
type loginType string
|
||||
|
||||
// https://matrix.org/docs/spec/client_server/r0.3.0.html#login
|
||||
const (
|
||||
PasswordBased loginType = "m.login.password"
|
||||
TokenBased loginType = "m.login.token"
|
||||
)
|
||||
|
||||
type loginFlows struct {
|
||||
Flows []flow `json:"flows"`
|
||||
}
|
||||
|
|
@ -37,10 +46,15 @@ type flow struct {
|
|||
Stages []string `json:"stages"`
|
||||
}
|
||||
|
||||
type passwordRequest struct {
|
||||
User string `json:"user"`
|
||||
Password string `json:"password"`
|
||||
InitialDisplayName *string `json:"initial_device_display_name"`
|
||||
type loginRequest struct {
|
||||
Type loginType `json:"type"`
|
||||
User string `json:"user"`
|
||||
Medium string `json:"medium"`
|
||||
Address string `json:"address"`
|
||||
Password string `json:"password"`
|
||||
Token string `json:"token"`
|
||||
DeviceID string `json:"device_id"`
|
||||
InitialDisplayName *string `json:"initial_device_display_name"`
|
||||
}
|
||||
|
||||
type loginResponse struct {
|
||||
|
|
@ -50,25 +64,112 @@ type loginResponse struct {
|
|||
DeviceID string `json:"device_id"`
|
||||
}
|
||||
|
||||
func passwordLogin() loginFlows {
|
||||
func defaultPasswordLogin() loginFlows {
|
||||
f := loginFlows{}
|
||||
s := flow{"m.login.password", []string{"m.login.password"}}
|
||||
s := flow{string(PasswordBased), []string{string(PasswordBased)}}
|
||||
f.Flows = append(f.Flows, s)
|
||||
return f
|
||||
}
|
||||
|
||||
func handlePasswordLogin(
|
||||
r loginRequest, accountDB *accounts.Database, deviceDB *devices.Database,
|
||||
req *http.Request, cfg config.Dendrite) *util.JSONResponse {
|
||||
|
||||
localpart := r.User
|
||||
acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)
|
||||
|
||||
if err != nil {
|
||||
// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
|
||||
// but that would leak the existence of the user.
|
||||
return &util.JSONResponse{
|
||||
Code: 403,
|
||||
JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
|
||||
}
|
||||
}
|
||||
|
||||
token, err := auth.GenerateAccessToken()
|
||||
if err != nil {
|
||||
httputil.LogThenError(req, err)
|
||||
}
|
||||
|
||||
// TODO: Use the device ID in the request
|
||||
dev, err := deviceDB.CreateDevice(
|
||||
req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,
|
||||
)
|
||||
if err != nil {
|
||||
return &util.JSONResponse{
|
||||
Code: 500,
|
||||
JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
|
||||
}
|
||||
}
|
||||
|
||||
return &util.JSONResponse{
|
||||
Code: 200,
|
||||
JSON: loginResponse{
|
||||
UserID: dev.UserID,
|
||||
AccessToken: dev.AccessToken,
|
||||
HomeServer: cfg.Matrix.ServerName,
|
||||
DeviceID: dev.ID,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func handleTokenLogin(
|
||||
r loginRequest, deviceDB *devices.Database,
|
||||
req *http.Request, cfg config.Dendrite) *util.JSONResponse {
|
||||
if r.Token == "" {
|
||||
return &util.JSONResponse{
|
||||
Code: 401,
|
||||
JSON: jsonerror.MissingToken("missing access token"),
|
||||
}
|
||||
}
|
||||
|
||||
dev, err := deviceDB.GetDeviceByAccessToken(req.Context(), r.Token)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return &util.JSONResponse{
|
||||
Code: 401,
|
||||
JSON: jsonerror.UnknownToken("Unknown token"),
|
||||
}
|
||||
}
|
||||
return &util.JSONResponse{
|
||||
Code: 401,
|
||||
JSON: jsonerror.Unknown("Unexpected Server error occurred"),
|
||||
}
|
||||
}
|
||||
|
||||
if dev.ID != r.DeviceID {
|
||||
// The access token specified in the request was generated for a
|
||||
// different device.
|
||||
return &util.JSONResponse{
|
||||
Code: 403,
|
||||
JSON: jsonerror.Forbidden("The access token was generated for a different device."),
|
||||
}
|
||||
}
|
||||
|
||||
return &util.JSONResponse{
|
||||
Code: 200,
|
||||
JSON: loginResponse{
|
||||
UserID: dev.UserID,
|
||||
AccessToken: dev.AccessToken,
|
||||
HomeServer: cfg.Matrix.ServerName,
|
||||
DeviceID: dev.ID,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Login implements GET and POST /login
|
||||
func Login(
|
||||
req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database,
|
||||
cfg config.Dendrite,
|
||||
) util.JSONResponse {
|
||||
if req.Method == "GET" { // TODO: support other forms of login other than password, depending on config options
|
||||
if req.Method == "GET" {
|
||||
return util.JSONResponse{
|
||||
Code: 200,
|
||||
JSON: passwordLogin(),
|
||||
JSON: defaultPasswordLogin(),
|
||||
}
|
||||
} else if req.Method == "POST" {
|
||||
var r passwordRequest
|
||||
var r loginRequest
|
||||
resErr := httputil.UnmarshalJSONRequest(req, &r)
|
||||
if resErr != nil {
|
||||
return *resErr
|
||||
|
|
@ -82,12 +183,10 @@ func Login(
|
|||
|
||||
util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")
|
||||
|
||||
// r.User can either be a user ID or just the localpart... or other things maybe.
|
||||
localpart := r.User
|
||||
if strings.HasPrefix(r.User, "@") {
|
||||
var domain gomatrixserverlib.ServerName
|
||||
var err error
|
||||
localpart, domain, err = gomatrixserverlib.SplitID('@', r.User)
|
||||
_, domain, err = gomatrixserverlib.SplitID('@', r.User)
|
||||
if err != nil {
|
||||
return util.JSONResponse{
|
||||
Code: 400,
|
||||
|
|
@ -103,41 +202,10 @@ func Login(
|
|||
}
|
||||
}
|
||||
|
||||
acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)
|
||||
if err != nil {
|
||||
// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
|
||||
// but that would leak the existence of the user.
|
||||
return util.JSONResponse{
|
||||
Code: 403,
|
||||
JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
|
||||
}
|
||||
}
|
||||
|
||||
token, err := auth.GenerateAccessToken()
|
||||
if err != nil {
|
||||
httputil.LogThenError(req, err)
|
||||
}
|
||||
|
||||
// TODO: Use the device ID in the request
|
||||
dev, err := deviceDB.CreateDevice(
|
||||
req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,
|
||||
)
|
||||
if err != nil {
|
||||
return util.JSONResponse{
|
||||
Code: 500,
|
||||
JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
|
||||
}
|
||||
}
|
||||
|
||||
return util.JSONResponse{
|
||||
Code: 200,
|
||||
JSON: loginResponse{
|
||||
UserID: dev.UserID,
|
||||
AccessToken: dev.AccessToken,
|
||||
HomeServer: cfg.Matrix.ServerName,
|
||||
DeviceID: dev.ID,
|
||||
},
|
||||
if r.Type == PasswordBased {
|
||||
return *handleTokenLogin(r, deviceDB, req, cfg)
|
||||
}
|
||||
return *handlePasswordLogin(r, accountDB, deviceDB, req, cfg)
|
||||
}
|
||||
return util.JSONResponse{
|
||||
Code: 405,
|
||||
|
|
|
|||
Loading…
Reference in a new issue